Since ansible-core 2.10 it is recommended to use modules via FQCN
In order to align with recommendation, we perform migration
by applying suggestions made by `ansible-lint --fix=fqcn`
Change-Id: I335f0f1bcdb5e5564ce3f82f44eec7d8c6ab4e0e
In order to reduce divergance with ansible-lint rules, we apply
auto-fixing of violations.
In current patch we replace all kind of truthy variables with
`true` or `false` values to align with recommendations along with
alignment of used quotes.
Change-Id: Ie1737a7f88d783e39492c704bb6805c89a199553
This change matches an earlier modification to os_neutron
Currently we symlink /etc/<service> to empty directory at pre-stage,
and filling it with config only during post_install. This means,
that policies and rootwrap filters are not working properly until
playbook execution finish. Additionally, we replace sudoers file
with new path in it, which makes current operations impossible for
the service, since rootwrap can not gain sudo privileges.
With this change we move symlinking and rootwrap steps to handlers,
which means that we will do replace configs while service is stopped.
During post_install we place all of the configs inside the venv,
which is versioned at the moment.
This way we minimise downtime of the service while performing upgrades
Closes-Bug: #2056180
Change-Id: I9c8212408c21e09895ee5805011aecb40b689a13
In case compute nodes using non-standard SSH port or some other
hacky connection between each other, deployers might need to
supply extra configuration inside it.
community.general.ssh_config module was not used, as it requires extra
`paramiko` module to be installed on each destination host.
Change-Id: Ic79aa391e729adf61f5653dd3cf72fee1708e2f5
With update of ansible version having variables in conditions is not
allowed anymore, which results in error like:
`Conditional is marked as unsafe, and cannot be evaluated`
Change-Id: I6e8e0ee1ffc2c154bac0f64f2e797281d7ba966f
<service>-config tags are quite broad and have a long execution
time. Where you only need to modify a service's '.conf' file and
similar it is useful to have a quicker method to do so.
Change-Id: Idf0a0a7033d8f6c4d6efebff456ea3f19ea81185
In order to be able to globally enable notification reporting for all services,
without an need to have ceilometer deployed or bunch of overrides for each
service, we add `oslomsg_notify_enabled` variable that aims to control
behaviour of enabled notifications.
Presence of ceilometer is still respected by default and being referenced.
Potential usecase are various billing panels that do rely on notifications
but do not require presence of Ceilometer.
Change-Id: Ib5d4f174be922f9b6f5ece35128a604fddb58e59
In order to allow definition of policies per service, we need to add variables
so service roles, that will be passed to openstack.osa.mq_setup.
Currently this can be handled by leveraging group_vars and overriding `oslomsg_rpc_policies` as a whole, but it's not obvious and
can be non-trivial for some groups which are co-locating multiple services
or in case of metal deployments.
Change-Id: I6a4989df2cd53cc50faae120e96aa4480268f42d
This patch proposes to move condition on when to install certificates from
the role include statement to a combined "view" for API and Consoles.
While adding computes to the same logic might be beneficial for CI and
AIO metal deployments, it potentially might have a negative effect for
real deployments, as it will create bunch of Skipped tasks for computes
so we leave them separated.
With that API and Console are usually placed on same hosts, so it makes
sense to distribute certs towards them once but keeping possibility of
different hosts in mind.
Change-Id: I8e28a79a6e3a5be1fe54004ea1d2c3a3ccdc20bc
Add variable nova_cell_force_update to enable deployers to ensure that
role execution will also update cell mappings whenever that is needed.
For instance, it could be password rotation or intention to update MySQL
address.
Change-Id: I5b99d58a5c4d27a363306361544c5d80759483fd
in cases when non-standard path to nova instances is configured with nova_system_home_folder variable there may be problems with instances spawning due to libvirt virt-aa-helper missing permission in apparmor profile, this commit resolves this
Change-Id: I3d37eb5a9635044570690370dfcbc060ff4d9e49
In case when ceph is not being used as backend for nova, qemu.conf
file is not distributed, thus some settings, like nova_qemu_vnc_tls do
not have any effect
Closes-Bug: #2003749
Change-Id: I4bc68567cda57d73d030d9a5017cc411f7ee7732
In usecases where only cinder is using ceph we currently do not
execute ceph_client role, which makes nodes failing to spawn instances
from RBD volumes.
Sample usecase where Glance might be using Swift and it might be desired to use
local storage for Nova ephemeral drives, but cinder spawning volumes
on Ceph
Currently this can be workarounded with setting `nova_rbd_inuse: True` but
at the same time `nova_libvirt_images_rbd_pool: ''`, though this is
counter-intuitive and this patch aims to improve this.
Change-Id: I412d1e9ccb51f0cd33a98333bfa1a01510867fbe
This is a follow-up change to [1]. Depending on operating system and
environment configuration, default libvirt network may not exist.
Right now, `Check for libvirt default network` task throws an error in
this case causing nova playbook to fail.
This change fixes that by instructing ansible to not throw an error
if `virsh net-list` fails with "Network not found: no network with
matching name" because it is acceptable to not have this network.
[1] https://review.opendev.org/c/openstack/openstack-ansible-os_nova/+/899768
Change-Id: If692bc94f421bc84ad9e6d43f548b68196a9e751
Currently, autostart for libvirt default network is disabled only when
this network is active during nova playbook execution.
It's an incorrect behavior because in some cases this network may not be
active from the beginning.
Autostart should be always disabled to ensure that this network will not
be unexpectedly marked as active in the future(during package upgrade,
host reboot etc.).
Closes-Bug: #2042369
Change-Id: I697234bda1601b534ce1b6ab186fa98f83179ee8
For quite some time, we relate usage of --by-service flag for
nova-manage cell_v2 discover_hosts command to the used nova_virt_type.
However, we run db_post_setup tasks only once and delegating to the
conductor host. With latest changes to the logic, when this task in
included from the playbook level it makes even less sense, since
definition of nova_virt_type for conductor is weird and wrong.
Instead, we attempt to detect if ironic is in use by checking hostvars
of all compute nodes for that. It will include host_vars, group_vars,
all sort of extra variables, etc.
Thus, ironic hosts should be better discovered now with nova-manage
command.
Related-Bug: #2034583
Change-Id: I3deea859a4017ff96919290ba50cb375c0f960ea
We have migrated to usage of ssh_keypairs role a while ago and we
can remove old migration clean-up task.
Change-Id: Ie3cbeb4bd41d3137f2332f28dbc72c8028fb5b3a
With transition to ssh-certificates for nova authorization, we no longer
need to generate and have SSH certificates for the nova user.
Change-Id: Iff105bafc177271cb59fb0662d4c139f56e64325
Due to some bugs delegation of tasks from compute to conductor hosts
does not work in real life. Due to that task import was moved to
the playbook level using role import in combination with tasks_from.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/897570
Change-Id: I777b1c90f57c805bc0a8593b5a5c7e63e43c4cd8
This change implements and enables by default quorum support
for rabbitmq as well as providing default variables to globally tune
it's behaviour.
In order to ensure upgrade path and ability to switch back to HA queues
we change vhost names with removing leading `/`, as enabling quorum
requires to remove exchange which is tricky thing to do with running
services.
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-plugins/+/875399
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/873618
Change-Id: I792595dac8b651debcd364cd245145721575a516
When Nova is deployed with a mix of x86 and arm systems
(for example), it may be necessary to deploy both 'novnc' and
'serialconsole' proxy services on the same host in order to
service the mixed compute estate.
This patch introduces a list which defines the required proxy
console types.
Change-Id: I93cece8babf35854e5a30938eeb9b25538fb37f6
With update of ansible-lint to version >=6.0.0 a lot of new
linters were added, that enabled by default. In order to comply
with linter rules we're applying changes to the role.
With that we also update metdata to reflect current state.
Depends-On: https://review.opendev.org/c/openstack/ansible-role-systemd_service/+/888223
Change-Id: I730ae569f199fc8542a5a61beb149f459465d7e2
Running nova playbook with tag limit may lead to an error:
The conditional check 'nova_virt_type != 'ironic'' failed. The error
was: error while evaluating conditional (nova_virt_type != 'ironic'):
'nova_virt_type' is undefined\n\nThe error appears to be in
'/etc/ansible/roles/os_nova/tasks/main.yml': line 289, column 3, but
may be elsewhere in the file depending on the exact syntax problem.
It can be easily fixed by applying always tag to tasks from
nova_virt_detect.yml
Change-Id: I56aee80180804b8a3e3316cffc6fa8115513b8f1
We're adding 2 services that are responsible for executing db purge and
archive_deleted_rows. Services will be deployed by default, but left
stopped/disabled. This way we allow deployers to enable/disable
feature by changing value of nova_archive/purge_deleted.
Otherwise, when variables set to true once, setting them to false won't
lead to stopoing of DB trimming and that would need to be done manualy.
Change-Id: I9f110f663fae71f5f3c01c6d09e6d1302d517466
By overriding the variable `nova_backend_ssl: True` HTTPS will
be enabled, disabling HTTP support on the nova backend api.
The ansible-role-pki is used to generate the required TLS
certificates if this functionality is enabled.
`nova_pki_console_certificates` are used to encrypt:
- traffic between console proxy and compute hosts
`nova_pki_certificates` are used to encrypt:
- traffic between haproxy and its backends(including console proxy)
It would be complex to use nova_pki_console_certificates to encrypt
traffic between haproxy and console proxy because they don't have valid
key_usage for that and changing key_usage would require to manually set
`pki_regen_cert` for existing environments.
Certs securing traffic between haproxy and console proxy are provided in
execstarts because otherwise they would have to be defined in nova.conf
that may be shared with nova-api(which stands behind uwsgi and should
not use TLS).
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/879085
Change-Id: Ibff3bf0b5eedc87c221bbb1b5976b12972fda608
When import is used ansible loads imported role or tasks which
results in plenty of skipped tasks which also consume time. With
includes ansible does not try to load play so time not wasted on
skipping things.
Depends-On: https://review.opendev.org/c/openstack/ansible-role-uwsgi/+/880344
Change-Id: I47c6623e166254802ed0b479b2353c5f2ceb5cfa
At the moment, we do deploy openrc file on conductors and delegate
task to them. At the moment there is no good reason to do so,
since we're actively utilizing service_setup_host for all interactions
with API. With that we also replace `openstack` commands with native
compute_service_info module that provides all information we need.
Change-Id: I016ba4c5dd211c5165a74a6011da7bb384c7a82a
According to nova rolling upgrade process [1], online_data_migrations
should run once all the services are running the latest version of the
code and were restarted. With that, we should move online migrations
after handlers being flushed, when all services are restarted.
At the same time, nova-status upgrade check must run before services
are restarted to the new version, as service restart might lead to
service breakage if upgrade check fails [2]. It makes no sense to
run upgrade check when upgrade is fully finished.
[1] https://docs.openstack.org/nova/latest/admin/upgrades.html#rolling-upgrade-process
[2] https://docs.openstack.org/nova/latest/cli/nova-status.html#upgrade
Change-Id: Ic681f73a09bb0ac280c227f85c6e79b31fd3429a
Calico driver support has been removed from OpenStack-Ansible
starting in Antelope release [1]. We clean-up nove role to drop calico
support from it as well.
[1] https://review.opendev.org/c/openstack/openstack-ansible/+/866119
Change-Id: Ie9c118b8bab265e5bf06b6ec05731cd673ee4d95
RDO packages for nova does depend on python3-openvswitch,
which makes it required to install OVS on computes regardless
of everything else.
We also clean out pre-rhel9 variable files as they're not needed anymore
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/872896
Change-Id: I3e31254b7dd1c0ff3cb46153cefce6f6cadd52aa
When Galera SSL is enabled, use SSL encrypted database connections with
nova-manage commands where a connection string is provided.
Change-Id: I7019b966b475c09a4e3218461941c1112ae28028
Resource providers can be configured using the API or CLI, or they
can also be configured on a per-compute node basis using config
files stored in /etc/nova/provider_config.
This patch adds support for a user defined list of provider config
files to be created on the compute nodes. This can be specified in
user_variables or perhaps more usefully in group_vars/host_vars.
A typical use case would be describing the resources made available
as a result of GPU or other hardware installed in a compute node.
Change-Id: I13d70a1030b1173b1bc051f00323e6fb0781872b
This line was introduced by I3046953f3e27157914dbe1fefd78c7eb2ddddcf6
to bring it in line with other OSA roles, but should already be
covered by the distribution_major_version line above.
Change-Id: I21b3972553acf38af205e17aa2d48ed19332bcb0
